[57] ABSTRACT

A resource manager in a client/server computer network
controls the availability of system resources. A system
administrator generates a set of profiles which specify which
system resources each user may employ for each of multiple
application programs. Individual application programs may
internally configure their possible choices of such system
resources according to the appropriate profile on a dynamic
basis.
CLIENT/SERVER COMPUTER SYSTEMS
HAVING CONTROL OF CLIENT-BASED
APPLICATION PROGRAMS, AND
APPLICATION-PROGRAM CONTROL
MEANS THEREFOR

1. Field of the Invention 

The present invention relates to electronic data 
processing, and more particularly concerns the control of 
system resources in computer systems arranged in a client/ 
server configuration. 

2. Background of the Invention

There are several broad types of computer systems. In a
mainframe computer system, a single central processor 
complex running under an operating system executes appli- 
cation programs, stores databases, enforces security, and 
allocates all resources such as processor time, memory 
usage, and subsystem processing. Users interact with the 
system via "dumb" terminals, which essentially only display 
data and receive keystrokes. Peer-to-peer networks of sys- 
tems such as personal computers are essentially standalone 
computers each running similar operating system programs, 
which can share application programs and data among each 
other according to a defined protocol. Client/server networks 
have a central server computer coupled via a communications
medium to a number of client computers, usually
smaller personal computers running under a conventional 
operating system. In the earliest client/server network 
model, the server was only a "file server" which could
download data to the clients and upload data from them; 
application programs were executed entirely in the client 
computers. That is, the server's function was to store large 
amounts of data, which could then be shared among a 
number of smaller clients. 

Most present client/server networks implement an 
"application server" model in which some or all application 
programs are split into two portions. A server portion 
executes within the server computer, while a separate client 
portion executes within each client computer from which a 
user can invoke the application. The two portions employ 
cooperative processing to pass data between the server and 
client computers; typically, most of the data is stored in the 
server. The first major application of this model was the 
processing of client queries against a central database, so 
that this model is also sometimes known as a "database
server" network. Newer applications sometimes employ the
terms "groupware" and "transaction processing" (TP).
Advances in technology additionally allow multiple servers 
in the same network, so that a user at a client computer can 
choose to sign on to a number of different servers. A third 
client/server type of network is beginning to emerge; in the
"distributed object" model, encapsulated objects containing
both data and executable code may roam about the network, 
run on different platforms, and manage themselves. In this 
model, clients and servers are not fixed in particular com- 
puters: a given computer may be simultaneously a server for 
one application and a client for another, and a given appli- 
cation may run one computer as its server, and later run 
another computer on the network as a server. 

A network operating system (NOS) mediates communi- 
cations between servers and clients in a network. An NOS 
contains a server control module executing within the server 
computer, and a client control module executing within each 
client computer. These control modules cooperate with each 
other to transfer data (and sometimes code or other objects) 
over the network's communications medium between the 
servers and particular clients. They provide interfaces to the 
operating systems and application-program portions running
in the client and server. 

A client/server network contains system resources which
can be shared by some or all of the other computers in the
network. One or more server processors, for example, are
scheduled among the tasks of different users. Memory pools
of various sizes are allocated to tasks being executed and
awaiting execution. Printers may be physically connected to
the network as a print server, accessible via a print spooler
to other computers on the network; storage devices may be
similarly connected as separate file servers. Other
capabilities are also considered to be system resources. For
example, database applications generally have both an
interactive and a batch mode for processing queries from a
client. The interactive-mode resource uses large amounts of
processor time, and is frequently restricted to short and/or
time-critical queries; the batch-mode resource batches
multiple queries together for processing at times of low
processor load. Even the ability to execute a given
application program can be considered a resource of the
system.

Each user, sitting at a client computer in a c/s network,
sees the server as a virtual part of his own system. For
example, the client portion of a database application, being
the same in each client computer or workstation, allows any
user to choose the processor-intensive interactive mode.
System printers usually appear as possible choices on the
normal "Print" menu of a word-processing application
program, alongside choices for local printers available only
from the user's own computer.

While system resources appear to be at the total disposal
of each user, in fact they are shared among all clients on the
network and among all applications being executed by all
users. Unlike the more abstract programming objects which
can be multiplied forever, system resources are physical and
finite, and must be divided among contending users.

In a mainframe type of computer organization, conventional
central-processor-based operating systems schedule
system resources, place restrictions upon particular users at
particular times, block certain users from running certain
applications or from running them in certain ways, and so
forth. Servers in c/s networks can place restrictions upon the
resources themselves, and upon which users can access
certain resources, based upon the identity of the user. Some
application programs can specify certain resources they can
access, on an individual basis. That is, resource management
in a c/s network is conventionally done by the server system
(i.e., its operating-system program), or by restrictions which
are hard-coded into each individual application program at
the client level or specified by an initialization (.INI) file.
However, no facilities exist for specifying that user Alice,
executing a particular program, is restricted to (for instance)
run database queries only in batch mode, to avoid hogging
the system with network traffic and processor time; but user
Bob may run small queries in interactive mode, because he
accesses only small amounts of data, or needs results
quickly. The problem is that both users upload and run their
queries from exactly the same database application program.
Those in the art might respond by denying system
permission at the server level to user Alice for the interactive
mode, by restricting the number of database records in a
query, or killing a query after a certain amount of time has
been spent processing it. But Alice might also run another
application program from her terminal for which she needs
interactive mode for large queries. Or she may occasionally
run smaller queries which can be serviced in interactive mode
without significantly delaying other users; many database
programs have facilities for estimating the resources required
to fulfill
m allowing or denying particular system resources to
particular users for particular application programs or in
response to certain factors such as the size of a query.
Dynamic control of such resources is also precluded.

EMBODIMENTS

FIG. 1 shows a network 100 of computers 110-140
configured in a client/server configuration.
Server computer 110 may be any type of system, from a

SUMMARY OF THE INVENTION relatively small personal computer (PC) to a large main- 

The present invention provides enhanced and more pre- ™ m£ implancnta,ion below, 

ase control over the use of system resources by users ai.d SSmn- mid : ran 8 e computer, specifically an IBM 
applications in a c/s network of computers. This cootroTis 10 m^Lt^^oZ^S^' " AS/4 °°'" "™ 
^expensive to implement, and does not interfere with co" J£ b^dlyleTs/S^ ° f ffiM Co ^ 

ventional control capabilities already provided by the serv- ■ ^ has one 01 more processors 111, 

er's operating system or by the client's £ta? c^oU»!n7 PU,/ ?T ,t ^ m > 30(1 workstations 

The invention avoids the common procUvitv of older Wrfnl ^ 'J?^ ^ one °™ busses 115. 

application programs to TKak"l^^^L. " are Phyacally atypeofl/O device which interact 

Sded at AeV^or neSlevd " " OTCT ^—cation facilities 150. 

Moreover.resourcerestricUonscanbeimposedinaway (aZ^ Zl^ZT^f"™' ^ ^ 

which is transparent to the user, ratherT, mer e* S ^dS^^^SeS^S 3 ST 

rctuniijig an uelv error me^aee if tu^ »•.• ; / v^^^u umi version o^) are available to handle 

engage L fatoL^Z^ ** * *> * e cornm«mications protocols. 

certain printer for output of data from maScuh^fli ™r™ ^i 4 ?,. 3 * COmmonl y PW«* corn- 
cation. Restrictions can be eirforcTby SKSteSt 30 fw F° } ^£ ? fecDitieS 150 by 151 to fom 
gram's own interface to the ££S, conS J*" 0 * (LAN) ^ SerVer 110 " <*■« 
£Ofile. For example, forbidden ^T^^m vSl^S ^ be employed in any con- 
longer appear on menus or other user-interface constructs niZTrS' ■ ^ ^ contains a processor 
wioain the appUcation programitself, or can be Lb™ J5 to carS S^SSS? - - ^ ^ ^ 
revenflcation. That is, the application program, which acta ^^^^r m 1 ^5 S^ these c om- 
aUy exists as only a smgleprogram, ££^mZ* fth5 fK 5 ^** 1 ** 13«fOTr«sentmgTataToTulef.^ 

zatfon is dynamically variable by a sy^ aaSa^ -^l^fT^^^ 9 ^ 
other authority. The coupling between the rZte andto ^Z"S 1^ ^ nCtWOrk 1W from,he 

applkation programs is mediated by parts ofS^nfrol 40 ^ fo J^ oas ?° 0 P^ormed by me computed of 
program located in the server and Teach diem- S £L1 *L left indicale "» component 

simple to do, because both pieces of mis prn^M «TZnZ^ 8 "7? ^ U °' 
together as a single package. Profiles arTg^erated and 1^1', one of t^nunals 130. A 

stored in the server by asy^cm adaumstra tor Sa uS Z^T ^ users represented by the labels Ul-UN, 
signs onto the network from his client SaLthe s£Z 45 ^™^™™>rtte*™^ 130-140. Any of the 
downloads that user's profile to the tS ite S 2££ W me ^ocition of a pa^- 

interacts with individual appUcation prog^mlk 12 uSTn « ^ •■!* Maa « * established when 

When a user executes a particular p™ 5 SJ^S,'*" ? ^-'! in,lil,al <>? ^ng his logSn 
that terminal, the application programitself governfwhich ^ggord over facilities 150 to servaTli^A^ ,-n 
system resources ^available to ^user XSJ 50 ^"^^^^y^m^n on to any one 

the operating systems or other programs rSnf of thl £35%??" J? ^ ^ aSS ° dation ° f ^ ^ 
client or on the server. B«™s running on me terminal perils until the user signs off from his session 

BRIEF DESCRIPTION OF THE DRAWING t£ZZ£Z22& SS sSlf 

FIG. 1 shows a typical client/server computer network 35 ^ontxols the execution of tasks such as 220-230 running 

which forms the environment of the present invention. on &e server > 03 sy^Iized by arrows 211, 212. Functional 

FIG. 2 is a schematic overview of the client/server net- ^^Ll? 13 0f °P eratin g sy^em employ a niimber of 

work of HG. 1, iocorporating the invention. ™ les 214 for a of conventional purposes such as 

FIG. 3 is a flowchart showing the operation of the c ^8 uratio11 ' *sk priorities, and security. Fox 

mvention within the system of FIG. 2. 60 e * am P le ' OS/400 employs a number of system user profiles 

FIG. 4 details representative profiles of FIG 2 * ^v^-^ for ^ ch user U1 "UN» including the 

FIG. 5 shows a resource-manager-controUed interface of and 

an application program according 8 ^ SSS!^ ^^uagefor messages to that user, 

app^atioV^ « 22 ^^^?!^^^^ 

invention. according to the . 220 ^^typical important example . In FIG. 2, alTother 

applications^eTurnped together afblocks 230. Code mod- 
interactive mode wherein it «SSLr^ • 1 has an
ofmtu.g system 210 stares incoming qu ti« s^k 

^^eS^rror' processar22iatai1 

n^T^T',"!?^ 240 executes within server 110 
Sl« ^ * ConWMnicati °» from server factions 
210-250 within Jayerji0_to_cli ej ,t functions 2AU*aa 
execuhng^thin each oft he dtaitaSS 

se^ern^hf ^-^^^l^^togwitnm 
^^^f-^tral is-physically mel^6y4i Sn T 

ating protocols for packaging and timing c^lc^Ti™ 
municated between server U0^i^ifi2*-M? t V,?? 111 " 
«h«e modules m^l^S^-^^ 
mques for identifying which of the 

MO 3 Corp.); adages the physical facilities of client 
130 and controls the execution oftasks STch as S« 

such as sy stenl conflguratioB and t^ir m ,;^Z7 P ? ieS 






LS-5fiLEMeiye_Ear^»aate 



conMUng the communication of information between 
server 110 and clients 130-140 in network 100 aT^ 
pr«e„t time, these tools provide h£££L£S 
IT vl!^ cnha "™t, and database view ed 

vw<ti<t,<Ntt, nied on me same date herewith u 
a portion which resides within irS^S^,^ 

i^G. 3 is a flowchart of a process 300 for carrvino ont th#* 

whether in a server block 210-240, in the serverZucS 
1*! resourcc »^6er, in the client portion aK to 

In^ally, .ftMSwrt; «*, system administrator decides ' ■ 

$e_server tools" column of FIG 3 

260 dr^7,L . 3° r f s ° urce manager client module 
lrtA -"T, ^ UJ ^ ^crvCT 1IU, or to another server in network 









nrotS™ ^ * d3tabaSe 85 811 exa «Ple of an application 
FOSran^ query inanager 291 leceive^uallsi^ttriS! 

a*sct2M of the data from tables 212 in (he server Asif 

^ ^"^■hen^ nTap;^; via the ^ 
not that application nro*™m 31 ^ wnemer or 



SEr « T 6 P™^? wito terminal 130 fa 
15 ? a " tEd * J***™* 131 of the tenmnaT 
SSL mLT^" 1*°^ fa terminal 13oSS 

may execute entirely within * lw! - , OT ^ 



terming The montei?^^™ «»IWdicBt 
^STr^.^^ the opW 






nnT th Q f T- — *«wuic «w oeienmnes whether or 

nqtjhat application program compKes with thr I 

toechent s operation when the user signs off or for any other 

D li« l^l 307 Senses ^ «» re q^sted application com- 

puter for authentication. This step is to^ln^SLSh^ 
appltcatton spoofing, wherein cfde at Z^^ZT^ , 
represent an application that it is not, or to claim resources
that it is not entitled to. Preferably, the application identity
is encrypted before transmission, to prevent a network
eavesdropper from intercepting the true identity and
modifying or misusing it. If the authentication is proper, block
310 transmits a positive response to block 311 in the server.
Appropriate encryption and authentication methods are
conventional in the art. If execution is not allowed, block 311
returns control to block 307 for selection of another
application. (Alternatively, it would be possible to have block
307 employ the specific user profile stored by block 306 to
merely eliminate or dim menu choices for the non-allowed
applications, so that the user could not choose them in the
first place.) That is, the ability to run a given application at
all can be treated as a system resource for the present
purpose.

Block 312 actually enforces the resource restrictions
imposed by the profile stored at 306 for the particular user
for the particular application program, represented by block
313. Application 313 may be any one of a number of [...]
a network version which also [...] concurrently exiting in the
[...] program requests system [...] message to the appropriate
block 317 for processing the request. Block 317 may be [...]
conventional devic[...], a portion of the operating system
213, in the server portion of a networked application, or in
other conventional ways. As mentioned previously, the
profile may also specify the manner of processing a request.
For example, subblock 318 may queue a batch-mode database
query for later processing, or subblock 319 may route
the request to a different [...]
In addition, server operating systems 213 frequently contain
conventional facilities for balancing workloads in different
subsystems of the network; block [...] could furnish priority
information for the current user and application obtained
from stored profiles at block 306. Line 320 returns data or
any acknowledgements to the application executing in block
312 of the client.

Returning to block 312, there are various ways to couple
a profile to an application program so as to control which
system resources a particular user may obtain from that
application. For example, a crude method would be to place
a sentry block (not shown) in line 316 so as to block
unauthorized requests from ever reaching block 317. While
such an approach would work, it would create user confusion
and frustration by presenting apparently valid choices
in the application program which would return error
messages when selected, or which might even falsely appear to
the user as system malfunctions.

Many modern application programs 313 employ external
initialization (.INI) files, associated either with the specific
application or with the operating system 283, which contain
specifications for executing the application and/or which
specify choices within the application or choices presented
to the user. For example, installing a new printer under the
Microsoft Windows operating system modifies a WINDOWS.INI
file to include a reference to the printer, so that
a separate word-processing program running under Windows
can access that file for a list of currently installed
printers, and present that list—now including the new
printer—to a user when he requests a PRINT operation for
a document within the word processor. Block 312 could thus
itself edit such an initialization file dynamically — that is,
whenever a particular user selects an application at block
307 — so as to change the application's own menu choices,
the list of facilities which it presents to the user. Another
method is to establish a special formal application program
interface, (commonly known as "API") a documented call
which allows one program to access a certain function of
another program.

FIG. 4 presents a table 400 of profiles such as 252-253 in
FIG. 2, which is employed in the procedure 300 described
in FIG. 3. In the IBM AS/400, the OS/400 operating system
includes an integrated relational database which uses the
well-known SQL (structured query language) interface. A
set of profiles constitute an ordinary table in this
database. Each row 410-470 of database table 400 lists a
user or predefined group of users 401, the name 402 of a
particular application program, a resource 403 potentially
used by that program, a value 404 showing a status of that
resource for that particular user when executing that
particular application, and a change status 405 for the value
404.

Column 401 [...] system profile (not shown) of that user.
One person may of course have multiple sign-ons or user
identifications, and may be a member of multiple groups,
and thus may have [...] for different purposes; even within
the same application program. The set of rows which [...]
user, either specifically or by a group of which he is a
member, forms a profile such as 252 and 253 in FIG. 2 for
that user.

Column 402 lists the names of various application programs
which are subject to resource manager 251, FIG. 2 [...]
recognizes as "compliant". If an application is compliant,
but is not listed in any row of table 400 for a particular user
or group, that user or group cannot execute the application
program. (For implementation-specific reasons, block 311
actually checks a physically separate table which
duplicates the information in columns 401 and 402.)

An entry in column 403 specifies one of the system
resources potentially available to the application program
specified in column 402 of the same row. These resources
may include such functions as the previously mentioned
interactive-query mode of any database program,
distributed-data environment (DDE is a conventional
method for [...]) support, and printing on the system
printers.

Column 404 specifies an initial access value for the
resource of column 403; e.g., a "NO" in column 404 of row
410 indicates that a user in the FINANCE group is blocked
from using the interactive mode when the spreadsheet
application program is invoked at block 313, FIG. 3. That is,
he can use only the batch mode for queries. Normally, users
would not be permitted to change their own authorizations
for a resource; however, it is sometimes useful to provide
this capability. A "YES" entry in column 405 of the same
row means that a user in this group may, during execution
of this program, later change his authorization so as to use
the interactive mode.

The use of profiles in the present system allows a great
deal of flexibility. Resources may be grouped, such as
"system printers". Some resources may be permitted only
under certain limitations. For example, some database
programs return a "cost" number denoting the estimated amount
of processor time required for a particular query; an entry
such as "SMALL" in row 430 indicates that interactive
queries are allowed to this user in this application when the 
estimated cost is below a predetermined threshold. This 
situation is quite common for many applications, as will be 
explained in connection with FIG. 5. Many combinations of 
resources can be specified, and varied needs can be accom- 
modated. For example, one user may be allowed to perform 
queries in the interactive (real-time) mode while running a 
customer-list application, yet the same user can be limited to 
batch mode — or to off-peak hours — while in a payroll 
application program, because running an entire payroll 
requires so much of the server's time that it should only be 
done when other demands are light. As another example of 
increased flexibility and granularity, resources can be treated 
differently depending upon where they are called from 
within a single application. For instance, the Sales Depart- 
ment group in FIG. 4 has the use of system printers, but a 
dedicated mailing-label printer could be made available as a 
choice only from a menu which appears at the end of a 
verification routine within the application program. 

The use of an existing system database to store the profiles 
as ordinary tables allows any existing data-entry program to 
serve as the profile generator 254 of FIG. 2. In systems 
where no such facility already exists, the invention may 
employ any conventional database program or ad hoc facil- 
ity for this purpose. 

FIG. 5 is a high-level block diagram of the client module 
of a typical application program 500, such as a query 
manager 290, FIG. 2, incorporating the present invention. 
For specific details, reference is made to the publicly avail- 
able Showcase Vista query application ("ShowCase" and 
"Vista" are trademarks of ShowCase Corporation). In an 
interactive application, normally the first operation after 
invocation is the display of a menu allowing the user to 
choose among several major tasks, such as query input 520,
data display 530, etc. The Vista application 500 has a set 510
of identified menu objects associated with it. Such objects
can be created with conventional program-development 
tools. They conventionally include dialog panels, radio 
buttons, selection boxes, drop-down lists, and other con- 
structs. An application might display multiple constructs at 
the same time at different positions on the user's screen. That 
is, several types of choices might be available simulta- 
neously. 

During an execution of program 500, a block such as 521 
presents a query screen, block 522 receives a user's request, 
which is then checked at block 523. Block 524 then selects 
menu 515 for the user to choose a processing mode: 
interactive, batch, etc. When the choice has been entered,
block 525 sends the query and the mode choice to the 
database server module 220, FIG. 2, via client and server 
modules 270 and 240. Module 220 then processes the query 
and returns data to the database client module 290 at block 
526. This block may present a message or other indication 
to the user that the data has arrived, or may merely display 
the data. 

When task 520 has completed, application 500 returns to 
block 501, which then allows the user to choose any of the 
tasks 520-550. The other tasks 530-550 operate in an 
overall similar manner. Line 551 shows the end of execution 
of application 500. 

FIG. 6 is a flowchart of a routine 600 for modifying the
interface of an application program 500 as required by block
312, FIG. 3. The individual menu objects 511-519 in FIG.
5 initially include all choices available to any user at any
time during execution. The purpose of routine 600 is to
modify the set 510 of menu objects for the specific application
program 500 in accordance with the profile for the
particular user who is currently executing that program.

Block 312 enters routine 600 at line 601. Block 602 gets 
successive rows of the profile 252 for the current user. When 
there are no more rows, routine 600 exits at 603. 

Because profile 252 contains rows for all application 
programs available to the current user, block 604 selects 
only those rows relevant to the current application, as 
identified in column 402, FIG. 4. For a relevant row, block 
605 reads column 403 to determine which resource is being 
specified. Block 606 finds a menu object in the set 510 which
pertains to that resource. Block 607 determines from profile
columns 404 and 405 what action is necessary to modify the
object. Blocks 608-611 indicate some of the actions that
could be performed. Block 608 removes a choice from a
selection list, radio-button set or similar construct, either
totally or by graying it out on the construct. Block 609 can
add a choice which was not already on a selection list. Block
610 removes an object altogether, so that no choice is
available to the user. Block 611 sets a value, value range, or
similar limitation into a list, dialog box, etc. After the proper
operation, control returns to block 606 to find other menu
objects. If there are no more, control returns to block 602.
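
The profile table of FIG. 4 and routine 600 can be modeled together, along with a request-side check in the spirit of the sentry block mentioned for line 316, so that the menu and the request decision are driven by the same rows. This Python code is an added example, not code from the patent or from the ShowCase product. The sample rows, the menu set, the cost limit of 1000, the rule that the more restrictive of two overlapping rows wins, and the treatment of a resource with no row as "NO" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rows shaped like table 400 (FIG. 4): user or group (401),
# application (402), resource (403), value (404), change status (405).
TABLE_400 = [
    ("FINANCE", "spreadsheet", "interactive_mode", "NO", "YES"),
    ("FINANCE", "spreadsheet", "system_printers", "YES", "NO"),
    ("SALES", "query_manager", "interactive_mode", "SMALL", "NO"),
    ("SALES", "query_manager", "system_printers", "YES", "NO"),
]
SMALL_COST_LIMIT = 1000  # assumed; the text says only "predetermined threshold"
RANK = {"NO": 0, "SMALL": 1, "YES": 2}  # lower rank = more restrictive


@dataclass
class Choice:
    label: str
    resource: Optional[str]          # None: the choice uses no profiled resource
    enabled: bool = True
    max_cost: Optional[int] = None
    user_may_change: bool = False


@dataclass
class MenuObject:
    name: str
    choices: list


def select_profile(table, identities):
    """Rows for one user: his own id plus every group he belongs to."""
    return [row for row in table if row[0] in identities]


def may_execute(profile, app):
    """Block 311: an application with no row for this user cannot be run."""
    return any(row[1] == app for row in profile)


def effective_rights(profile, app):
    """Block 604: keep rows for the current application, keyed by resource.
    Assumption: when two of the user's rows name the same resource, the more
    restrictive value wins; the text does not define conflict handling."""
    rights = {}
    for _user, row_app, resource, value, change in profile:
        if row_app != app:
            continue
        if resource not in rights or RANK[value] < RANK[rights[resource][0]]:
            rights[resource] = (value, change == "YES")
    return rights


def apply_profile(profile, app, menu_objects):
    """Routine 600: modify the menu objects (set 510) for one user and app."""
    rights = effective_rights(profile, app)
    kept = []
    for obj in menu_objects:                      # block 606
        for choice in obj.choices:
            if choice.resource is None:
                continue
            # Assumption: a resource with no row is treated as "NO" (claim 1
            # makes available only the resources the profile specifies).
            value, may_change = rights.get(choice.resource, ("NO", False))
            choice.user_may_change = may_change   # column 405
            if value == "NO":                     # block 608: gray out choice
                choice.enabled = False
            elif value == "SMALL":                # block 611: set a limit
                choice.max_cost = SMALL_COST_LIMIT
        if any(c.enabled for c in obj.choices):
            kept.append(obj)                      # otherwise block 610: drop it
    return kept


def sentry_allows(profile, app, resource, estimated_cost):
    """Request-side check from the same rows (the sentry-block idea)."""
    value, _ = effective_rights(profile, app).get(resource, ("NO", False))
    if value == "SMALL":
        return estimated_cost < SMALL_COST_LIMIT
    return value == "YES"


def build_menus():
    """Constructed menu set: a mode menu (like menu 515) and two print menus."""
    return [
        MenuObject("mode", [Choice("Interactive", "interactive_mode"),
                            Choice("Batch", None)]),
        MenuObject("print", [Choice("System printer", "system_printers"),
                             Choice("Local printer", None)]),
        MenuObject("labels", [Choice("Mailing-label printer", "label_printer")]),
    ]


if __name__ == "__main__":
    profile = select_profile(TABLE_400, {"alice", "FINANCE"})
    for menu in apply_profile(profile, "spreadsheet", build_menus()):
        print(menu.name, [(c.label, c.enabled, c.max_cost) for c in menu.choices])
```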

FIGS. 3 and 6 show the modification of menu objects 
511-519 as occurring before execution at block 313. FIG. 3 
additionally shows the user's profile being downloaded at 
the time the user signs on to a session at the client terminal.
In that case, the menu items can be changed from the server 
only session-by-session, and remain the same for all invo- 
cations of an application. It is also possible, however, to 
download profiles at other times, so as to allow menu items 
to change on a dynamic basis, whenever a system admin- 
istrator modifies a profile, or by some other factor, such as 
time of day, so that each execution of an application could 
present different sets of choices. Moreover, it is possible to 
run routine 600 during execution of the application program, 
so that menu choices could vary even during a single 
execution of an application. 

Having described a preferred embodiment and a few of 
the many variations and alternatives within the scope and 
spirit of the present invention which may occur to those 
skilled in the art, we claim: 

1. A method of managing a set of shared system resources 
in a computer network having at least one server coupled to 
a plurality of clients each containing a plurality of applica- 
tion programs executable by a plurality of users at said 
clients, said programs having interfaces for allowing said 
users to choose dynamically among said shared system 
resources, said method comprising: 

generating in said server a plurality of profiles specifying 
the allowability of individual ones of said shared sys- 
tem resources within particular ones of said application 
programs for certain ones of said users; 
identifying one of said users at one of said client com- 
puters; 

in response to said identification, selecting certain
information from said profiles corresponding to said
individual shared system resources for said particular
application programs for said one identified user;
detecting at said one client computer a request for a 
particular one of said application programs by said one 
user; 

dynamically modifying at least one of said user interfaces 
for said particular one application program in response 
to said certain profile information corresponding to said 
identified one user for said particular one application
program so as to make available to said one user only
those of said shared system resources specified by said
profile information for said particular one application
program for said identified one user.

2. A resource manager for a client/server network of
computers coupled together by a communications means,
said network executing a plurality of application programs
having a server portion located in a server computer in said
network and having a client portion located in one or more
client computers in said network and invoked by one of a
number of users, said network further including a plurality
of different system resources potentially usable by said
application programs and physically shared among said
application programs, each said application-program client
portion having a user interface from which said one user can
select different ones of said system resources during an
execution of said client portion, said resource manager
comprising:

a set of profiles, each profile specifying said one user and
a number of said application programs, and specifying,
for individual ones of said number of application
programs, a number of particular ones of said shared
system resources, and specifying, for each of said
particular resources, a number of rights of said one user
to each of said particular resources for each of said
individual application programs;

means for detecting the identity of said one user at any
one of said one or more client computers, and for
selecting that profile corresponding to said one user;

means for selecting individual portions of said selected
profile corresponding to said individual application
program;

means for modifying said user interface for said
individual application program in response to said
individual portions of said selected profile so as to allow
said user at said client computer to choose only those
of said shared system resources specified by said
individual portions.

3. An individual interactive application program executable
by a number of users in a client/server computer
network having a number of physically shared resources,
said network containing a stored profile specifying a
particular one of said users, a number of application programs
including said individual application program, and
specifying, for each of said application programs, a number
of selectable ones of said shared system resources, and
specifying, for each of said selectable resources for each of
said application programs, a number of rights of said
particular one user to each of said certain resources, said
individual one application program comprising:

means for selecting from said stored profile certain
information peculiar to said individual application program
for said particular one user;

means for selecting among a plurality of functions in
response to inputs from said one user;

means responsive to said selecting means for performing
said functions;

a number of user-interface means within said
function-performing means, each of said user-interface means
presenting to said one user choices among one of said
shared system resources;

interface modifying means coupled to a plurality of said
user-interface means for modifying said choices of
respective ones of said shared system resources in
response to said rights of said particular one user with
respect to said individual application program as
specified in said profile information.

4. The method of claim 1, wherein the step of generating, 
comprises the steps of: 

for each user, identifying one or more of said application 
programs which the user is authorized to execute; and 

for each authorized application program, identifying 
which shared system resources the user is permitted to 
access. 

5. A method of managing a set of shared system resources
in a computer network having at least one server coupled to
one or more clients, the one or more clients for use by one
or more users, the one or more clients capable of executing
a plurality of applications, comprising the steps of:

generating a plurality of profiles in a server, the plurality
of profiles specifying which shared system resources
are available to a particular user for a particular
application;

identifying a user signing onto the computer network
using a client;

associating a profile of the plurality of profiles with the
user;

downloading profile information from the server to the
client based on the profile;

detecting a request for execution of an application by the
user;

identifying available shared system resources based on
the user and the application using the profile
information; and

dynamically modifying a user interface to reflect the
available shared system resources, to control access of
the user to the set of shared system resources.

6. The method of claim 5, wherein the step of dynamically
modifying comprises the step of editing an external
initialization file associated with the application according to the
profile information, to control system resource options
presented to the user by the application.

7. The method of claim 5, wherein the step of dynamically 
modifying comprises the step of controlling system resource 
options presented to the user by the application using a 
formal application program interface. 

8. The method of claim 5, wherein the step of generating 
a plurality of profiles comprises the step of: 

constructing a profile for each user, the profile including
definitions of which applications the user is authorized,
and for each authorized application, a definition of
which shared system resources the user is permitted to
access.

9. The method of claim 8, wherein the step of detecting a
request for execution of an application by the user,
comprises the steps of:

comparing the application to the definitions in the profile
for the user to determine if the user is authorized to
execute the application; and

if the user is authorized to execute the application,
executing the application.
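
The method of claims 5, 8 and 9, as an added sketch that is not code from the patent: a per-user profile is downloaded at sign-on, the requested application is compared against it, and the list of choices is reduced to the resources the profile grants. The user, application and resource names, the rights strings and all function names are assumptions made for illustration.

```python
# Added illustration; names and sample data are constructed, not from the patent.
from dataclasses import dataclass, field

# Server-side profile store (claims 5 and 8): user -> application ->
# shared resource -> rights. All entries are constructed sample data.
SERVER_PROFILES = {
    "alice": {
        "wordproc": {"printer-2f": {"use"}, "share-docs": {"read", "write"}},
        "mail": {"share-docs": {"read"}},
    },
    "bob": {"wordproc": {"printer-lobby": {"use"}}},
}


class NotAuthorized(Exception):
    """Raised when the profile does not list the requested application."""


@dataclass
class ClientSession:
    user: str
    profile: dict = field(default_factory=dict)  # copy downloaded at sign-on

    def resources_for(self, app):
        """Claim 9: compare the application to the profile before executing."""
        if app not in self.profile:
            raise NotAuthorized(f"{self.user} may not run {app}")
        return self.profile[app]

    def menu(self, app, all_choices, right):
        """Claim 5, last step: offer only resources the profile grants."""
        granted = self.resources_for(app)
        return [r for r in all_choices if right in granted.get(r, set())]


def sign_on(user):
    """Identify the user, associate a profile, download it to the client.
    An unknown user gets an empty profile, so every request is refused."""
    stored = SERVER_PROFILES.get(user, {})
    copy = {app: {res: set(rights) for res, rights in resources.items()}
            for app, resources in stored.items()}
    return ClientSession(user, copy)


PRINTERS = ["printer-2f", "printer-lobby", "printer-exec"]  # constructed
```
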
